Which identities should you enable for Kerberos constrained delegation?

You plan to deploy a PerformancePoint dashboard that will display data from a cube hosted in
Microsoft SQL Server Analysis Services.
The following identities are used by services and application pools:
The Claims to Windows Token Service process identity is contoso\C2WTS.
The PerformancePoint application pool identity is contoso\SPPPS.
The Secure Store application pool identity is contoso\SPSSS.
The SQL Server Analysis Service identity is contoso\SQLAS.
You need to ensure that when a user connects to the dashboard, the user’s credentials are used to
connect to the cube. Which identities should you enable for Kerberos constrained delegation? (Each
correct answer presents part of the solution. Choose all that apply.)

A. contoso\C2WTS

B. contoso\SPPPS

C. contoso\SPSSS

D. contoso\SQLAS

Explanation:
The Kerberos protocol supports two kinds of delegation, basic (unconstrained) and constrained.
Basic Kerberos delegation can cross domain boundaries in a single forest, but cannot cross a forest
boundary regardless of trust relationship.
Kerberos constrained delegation cannot cross domain or forest boundaries in any scenario.
The account you use for C2WTS must also be configured for constrained delegation with
protocol transition, and it needs permission to delegate to the services it is required to
communicate with (i.e. SQL Server Engine, SQL Server Analysis Services).
The following service applications and products require the C2WTS and Kerberos constrained
delegation:
Excel Services
PerformancePoint Services
Visio Services
The following service applications and products are not affected by these requirements, and
therefore can use basic delegation, if it is required:
Business Data Connectivity service and Microsoft Business Connectivity Services
InfoPath Forms Services
Access Services
Microsoft SQL Server Reporting Services (SSRS)
Microsoft Project Server 2010

The following service application does not allow delegation of client credentials and therefore is not
affected by these requirements:
Microsoft SQL Server PowerPivot for Microsoft SharePoint
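
The delegation modes described in the explanation can be read back from an account's directory attributes. The following is an added example, not part of the original page: it classifies accounts from their userAccountControl flags and msDS-AllowedToDelegateTo values and lists delegation targets outside the account's own domain. The DNS domain contoso.local, the host names, the SPNs and the svc-* accounts are constructed sample data, and SPN hosts are assumed to be fully qualified.

```python
# Added example: classify delegation settings from AD attribute values.
# userAccountControl bit values as documented for Active Directory.
TRUSTED_FOR_DELEGATION = 0x80000            # basic (unconstrained) delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition allowed

def delegation_mode(uac, targets):
    """Map userAccountControl + msDS-AllowedToDelegateTo to a delegation mode."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained+protocol-transition"
    if targets:
        return "constrained-kerberos-only"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "protocol-transition-no-targets"  # flag set, nothing to delegate to
    return "none"

def spn_host(spn):
    """Host part of an SPN such as 'MSSQLSvc/host.domain:1433'."""
    return spn.split("/", 1)[1].split(":", 1)[0].split("/", 1)[0].lower()

def out_of_domain_targets(dns_domain, targets):
    """Targets whose host lies outside the account's domain."""
    suffix = "." + dns_domain.lower()
    return [t for t in targets if not spn_host(t).endswith(suffix)]

def audit(account):
    """Summarise one account: delegation mode plus any out-of-domain targets."""
    return {"name": account["name"],
            "mode": delegation_mode(account["uac"], account["targets"]),
            "out_of_domain": out_of_domain_targets(account["domain"], account["targets"])}

# Constructed sample data; hosts, SPNs and the svc-* accounts are hypothetical.
ACCOUNTS = [
    {"name": r"contoso\C2WTS", "domain": "contoso.local", "uac": 0x200 | 0x1000000,
     "targets": ["MSOLAPSvc.3/ssas01.contoso.local", "MSSQLSvc/sql01.contoso.local:1433"]},
    {"name": r"contoso\svc-legacy", "domain": "contoso.local", "uac": 0x200 | 0x80000,
     "targets": []},
    {"name": r"contoso\svc-kcd", "domain": "contoso.local", "uac": 0x200,
     "targets": ["MSOLAPSvc.3/ssas02.fabrikam.local"]},
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(audit(acct))
```
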